Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts on WordPress Sites
What Happened — Threat actors are actively exploiting a critical vulnerability in the WP Maps Pro WordPress plugin to create unauthorized administrator accounts on vulnerable sites. The flaw can be triggered remotely without authentication, granting full control of the WordPress admin console.
Why It Matters for TPRM —
- Compromise of a widely‑used third‑party plugin can cascade to dozens of downstream customers.
- Unauthorized admin access enables data exfiltration, site defacement, and ransomware deployment.
- The issue highlights the need for continuous monitoring of third‑party components in web‑based supply chains.
Who Is Affected — Digital agencies, e‑commerce platforms, media publishers, SaaS providers, and any organization running WordPress sites that have installed WP Maps Pro.
Recommended Actions —
- Immediately update WP Maps Pro to the vendor‑released patch (or remove the plugin if no fix is available).
- Conduct a sweep of all admin accounts for unknown users and enforce strong password policies.
- Deploy web‑application firewall (WAF) rules to block suspicious requests to the plugin’s endpoints.
- Incorporate plugin version monitoring into your third‑party risk program.
Technical Notes — The exploit leverages an unauthenticated remote code path that writes a new user with the administrator role. No public CVE identifier has been assigned yet. Compromised sites risk exposure of all site data, including user credentials, payment information, and proprietary content. Source: The Hacker News